Submission to the Inquiry into the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

Dear Mr Hastie

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to provide comments to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Act).

The OAIC has previously provided comments on an exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill) to the Department of Home Affairs and on the first reading version of the Bill to the PJCIS.[1]

While the amendments introduced and passed on 6 December 2018 addressed some of the issues raised by the OAIC in its previous submissions, we consider that privacy impacts remain that require further mitigation.

The OAIC’s previous submissions included recommendations about:

clarifying terms and limiting the acts or things that could be listed in a request or notice

providing for greater oversight and transparency around the issuing of technical assistance requests (TARs)

The Act contains provisions addressing some of these matters. For example:

extending the decision-making criteria of reasonableness, proportionality, practicability and technical feasibility to TARs, including that privacy impacts be considered when assessing whether a TAR is reasonable and proportionate[2]

providing an option for a designated communications provider (provider) to request an assessment of whether a proposed technical capability notice (TCN) should be given[3]

extending the prohibition on systemic weaknesses and systemic vulnerabilities to apply to TARs, in addition to technical assistance notices (TANs) and TCNs[4]

providing for review by the Independent National Security Legislation Monitor.[5]

However, some of the issues identified by the OAIC remain. In particular, this submission recommends:

further clarifying the terms ‘systemic weakness’ and ‘systemic vulnerability’, and their interaction with s 317ZG

including mechanisms for judicial oversight over TANs and TCNs

if our recommendation regarding judicial oversight is not accepted, then decisions to issue a TAN or TCN should be subject to judicial review under the Administrative Decisions (Judicial Review) Act 1997 (ADJR Act)

making technical assessments mandatory rather than at the request of a provider and extending the regime to apply to TARs and TANs, in addition to TCNs

making technical assessments a necessary part of an application to a judge for issuing or varying a TAN or TCN.

About the OAIC and the Privacy Act 1988

The Privacy Act 1988 (Privacy Act) confers on the Australian Information Commissioner and Privacy Commissioner (the Commissioner) a range of privacy regulatory functions and powers.

While Australia’s privacy laws recognise that the protection of individuals’ privacy is not an absolute right, any instance of interference must be subject to a careful and critical assessment of its necessity, legitimacy and proportionality.[6] For law enforcement initiatives that adversely impact privacy, this includes demonstrating the necessity of the proposal through evidence, and ensuring that the scope of proposed measures is as clear and transparent as possible. Where an adverse impact on privacy is necessary, a commensurate increase in oversight, accountability and transparency is required, to strike an appropriate balance between any privacy impacts and law enforcement and national security objectives.

A central principle in the Privacy Act is the protection of personal information—regulated entities must take reasonable steps to protect the security of personal information[7]and must notify individuals and the OAIC in the event of a serious data breach.[8] These are important obligations which seek to safeguard the security of individuals’ personal information held by regulated organisations and agencies.

Clarifying ‘systemic weakness’ and ‘systemic vulnerability’

Section 317ZG of the Act limits a TAR, TAN or TCN from requesting or requiring a provider to implement or build a systemic weakness or systemic vulnerability into a form of electronic protection, or from rectifying such a weakness or vulnerability.[9]

The OAIC had previously recommended that these terms be defined in the legislation. Clearly defining the terms would provide clarity as to the intended scope of the limitation, which in turn would assist in determining whether the privacy impacts of a notice were reasonable, necessary and proportionate in the circumstances.

The Act includes definitions for these terms.[10] However, submissions to this inquiry from industry stakeholders and technical experts indicate that uncertainty about the meaning of ‘systemic weakness’ and ‘systemic vulnerability’ remain.[11]

We acknowledge that these terms are complex and that the Act will apply in a wide range of circumstances. However, given the important protections that the OAIC understands s 317ZG is intended to provide, and the subsequent risks to the security of personal information if the meaning of these terms is not sufficiently clear, we recommend that further consideration be given to the way these terms are defined in the legislation and how they interact with s 317ZG. Such consideration could include further consultation with industry.

Judicial oversight

The OAIC notes concerns from the regulated community and others about how the requests and notices will be issued in practice. In particular, several stakeholders have expressed concerns about how criteria will be assessed in a consistent way, including by decision-makers in agencies seeking to use the industry assistance framework.[12] In order to build trust and confidence in the framework, and as previously submitted, we recommend that the Act be amended to introduce independent judicial oversight before a TAN or TCN is issued or varied. An application to a judge to issue or vary a TAN or TCN should be accompanied by a technical assessment that we recommend should be mandatory.

We also note that decisions under this Act are not subject to judicial review under the ADJRAct. In the event that the above recommendation regarding judicial oversight of TANs and TCNs is not adopted, then we recommend allowing judicial review under the ADJR Act. This would provide judicial review avenues under both the ADJR Act and the original jurisdiction of the High Court or the Federal Court of Australia.[13]

TCN assessments

Under s 317WA, a provider may request an assessment of whether a TCN should be given. If so requested, the Attorney-General must appoint two assessors, one of whom has technical knowledge and the other of whom has previously served as a judge.[14] The assessors must consider a range of factors including reasonableness, proportionality, practicability, technical feasibility and whether the TCN is the least intrusive measure that would be effective in achieving the legitimate objective of the proposed TCN. The assessors must give the greatest weight to whether the proposed TCN would contravene the limitation on systemic weaknesses and vulnerabilities in s 317ZG.[15] The Attorney-General must have regard to the report that the assessors produce when deciding whether to proceed to give the TCN,[16] but is not obliged to refrain from issuing a TCN even if the assessors determine that it should not be given.

The OAIC welcomes the inclusion of the assessment provision in s 317WA, and appreciates the inclusion of a list of criteria that must be considered by the decision-maker when assessing whether a TAR, TAN or TCN[17] is reasonable and proportionate, including the interests of national security and law enforcement, the legitimate interests of the provider, the necessity of the requirements, and the legitimate expectations of the Australian community relating to privacy and cyber security.

However, we recommend extending the assessment mechanism to enhance its effectiveness. Consideration should be given in particular, to:

extending s 317WA to apply to TARs and TANs, in addition to TCNs, reflecting that the prohibition on systemic weaknesses and systemic vulnerabilities in s 317ZG applies to TARs, TANs and TCNs

making the assessment mandatory, rather than at the request of a provider

making technical assessments a necessary part of an application to a judge for issuing or varying a TAN or TCN.

The OAIC trusts this further information is of assistance to the Committee.

[8] Part IIIC of the Privacy Act. Entities with security obligations under the Privacy Act are required to notify individuals and the OAIC of an ‘eligible’ data breach. A data breach is ‘eligible’ if it is likely to result in serious harm to any of the individuals to whom the information relates. More information on eligible data breaches is available on the OAIC’s website at <https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response>.

[12] See, for example, submissions from the Law Council of Australia (submission 4) at page 41; joint submission from the Communications Alliance, the Australian Industry Group (Ai Group), the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA), the Digital Industry Group Inc (DIGI) and the Information Professionals Industry Association (IPTA) (submission 3) at page 4; and BSA | The Software Alliance (submission 36) at page 4.